From 9849cce0dfd7a5ff58d70955519d7c8d0fd9fa4a Mon Sep 17 00:00:00 2001 From: Vinayak Goyal Date: Fri, 28 Jun 2024 18:26:43 +0000 Subject: [PATCH] KEP-24: Graduate Kubernetes' support for AppArmor to GA. Signed-off-by: Vinayak Goyal --- .../feature-gates/apparmor.md | 4 ++ .../security-context.md | 37 +++++++++++++++++++ content/en/docs/tutorials/_index.md | 2 +- 3 files changed, 42 insertions(+), 1 deletion(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md index 005105630bf0e..404ea8181ca6c 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates/apparmor.md @@ -9,6 +9,10 @@ stages: - stage: beta defaultValue: true fromVersion: "1.4" + toVersion: "1.30" + - stage: stable + defaultValue: true + fromVersion: "1.31" --- Enable use of AppArmor mandatory access control for Pods running on Linux nodes. See [AppArmor Tutorial](/docs/tutorials/security/apparmor/) for more details. diff --git a/content/en/docs/tasks/configure-pod-container/security-context.md b/content/en/docs/tasks/configure-pod-container/security-context.md index b176d20df51c5..9256fd36d616d 100644 --- a/content/en/docs/tasks/configure-pod-container/security-context.md +++ b/content/en/docs/tasks/configure-pod-container/security-context.md @@ -419,6 +419,43 @@ securityContext: localhostProfile: my-profiles/profile-allow.json ``` +## Set the AppArmor Profile for a Container + +To set the AppArmor profile for a Container, include the `appArmorProfile` field +in the `securityContext` section of your Pod or Container manifest. The +`appArmorProfile` field is a +[AppArmorProfile](/docs/reference/generated/kubernetes-api/{{< param "version" +>}}/#apparmorprofile-v1-core) object consisting of `type` and `localhostProfile`. +Valid options for `type` include `RuntimeDefault`, `Unconfined`, and +`Localhost`. `localhostProfile` must only be set if `type: Localhost`. It +indicates the name of the pre-configured profile on the node. The profile needs +to loaded onto all nodes, since you don't know where the pod will be scheduled. +Approaches of setting up custom profiles are discussed in +[Setting up nodes with profiles](/docs/tutorials/security/apparmor/#setting-up-nodes-with-profiles). + +Here is an example that sets the AppArmor profile to the node's container runtime +default profile: + +```yaml +... +securityContext: + appArmorProfile: + type: RuntimeDefault +``` + +Here is an example that sets the AppArmor profile to a pre-configured profile +named `k8s-apparmor-example-deny-write`: + +```yaml +... +securityContext: + appArmorProfile: + type: Localhost + localhostProfile: k8s-apparmor-example-deny-write +``` + +For more details please see, [Restrict a Container's Access to Resources with AppArmor](/docs/tutorials/security/apparmor/). + ## Assign SELinux labels to a Container To assign SELinux labels to a Container, include the `seLinuxOptions` field in diff --git a/content/en/docs/tutorials/_index.md b/content/en/docs/tutorials/_index.md index 97a3bacbdf6a5..d9c865c5f7c6c 100644 --- a/content/en/docs/tutorials/_index.md +++ b/content/en/docs/tutorials/_index.md @@ -49,7 +49,7 @@ Before walking through each tutorial, you may want to bookmark the * [Apply Pod Security Standards at Cluster level](/docs/tutorials/security/cluster-level-pss/) * [Apply Pod Security Standards at Namespace level](/docs/tutorials/security/ns-level-pss/) -* [AppArmor](/docs/tutorials/security/apparmor/) +* [Restrict a Container's Access to Resources with AppArmor](/docs/tutorials/security/apparmor/) * [Seccomp](/docs/tutorials/security/seccomp/) ## {{% heading "whatsnext" %}}